Registration Deadline for Data Controllers

Registration Deadline for Data Controllers is Rapidly Approaching


As the extended deadline for completing registration with Turkey’s Data Controllers Registry (“VERBIS” or “Registry”), set as the 30th of June 2020, is rapidly approaching, we would like to recap the applicable obligations and the procedures to be completed in this regard.


Are Foreign-Established Data Controllers Under the Registration Obligation?

Yes. Every non-resident data controller (“Foreign Entity”) processing personal data of data subjects in Turkey as a data controller should register with VERBIS. All such Foreign Entities must carry out their registration processes before the Registry by the deadline of the 30th of June 2020[1].

Although it does not point to a statutory requirement, the regulatory authority’s approach in this respect is similar to the interpretation of the GDPR concerning its territorial scope.


Are There Any Exemptions for Foreign-Established Data Controllers?

No. There are certain exemptions to the registration obligation; however, the local data protection regulations are not inclined to apply such exemptions in favor of foreign-established data controllers.


What is the Sanction for Not Completing the Registration by the Deadline?

Foreign-established entities that do not complete their registration with VERBIS by the 30th of June 2020 may be subject to an administrative fine ranging from 27,037 TL to 1,802,640[2] TRY (approximately between 3,809 € and 254,00 €). Furthermore, Turkey’s Data Protection Authority may request that the related data processing activities regarding the personal data of Turkish individuals be ceased.


What are the Procedures to be Consummated by the Foreign-Established Data Controllers?

- Appointment of a Data Controller Representative

Foreign-established entities processing personal data in Turkey are under the obligation to appoint a data controller representative (either a legal or a natural person), so as to comply with the registration obligation.


Depending on the requirements of the jurisdiction in which the appointing entity is established, such appointment may be accomplished via the issuance of either (i) an appointment resolution, or (ii) a power of attorney.


- Preparation of a Personal Data Processing Inventory

According to the local data protection regulations, foreign-established data controllers are required to prepare a personal data processing inventory, whose required content differs to a certain extent from that under the GDPR and which contains at least the following information:

· purposes of personal data processing activities,

· legal grounds of such processing activities,

· data categories associated with the processing activities,

· recipient groups of the processing activities,

· data subject groups of the processing activities,

· the maximum retention period required by the purposes of the processing,

· personal data envisaged to be transferred abroad and measures taken concerning data security.


How Long Does it Take to Consummate These Procedures by the Foreign-Established Data Controllers?

Approximately 2 weeks. Because (i) the document to be issued for appointing the data controller representative requires notarization and an apostille; (ii) the preparation of the personal data processing inventory differs from its counterpart in the GDPR and requires consultation with various stakeholders within the entity; and (iii) certain correspondence is conducted with the Registry prior to the registration, the procedures take some time and are generally completed within a period of 2 weeks.


[1] The original due date was set as the 31st of December 2019. However, the Board issued a decision on the 27th of December 2019 and extended the registration due date until the 30th of June 2020.

[2] With the revaluation rate of the year 2020